b'Department of Homeland Security\n   Of\xef\xac\x81ce of Inspector General\n Information Technology Management Letter \n\n   for the Federal Emergency Management \n\n   Agency Component of the FY 2008 DHS \n\n           Financial Statement Audit \n\n\n                                           (Redacted)\n\n\n\n\n\n Notice: The Department of Homeland Security, Office of Inspector General has redacted the report for public\n release. A review under the Freedom of Information Act will be conducted upon request.\n\n\n\n\nOIG-09-48                                                                                      March 2009\n\x0c                                                             Office of Inspector General\n\n                                                             U.S. Department of Homeland Security\n                                                             Washington, DC 25028\n\n\n\n\n                                           March 27, 2009\n\n\n                                               Preface\n\nThe Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by\nthe Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General\nAct of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our\noversight responsibilities to promote economy, efficiency, and effectiveness within the department.\n\nThis report presents the information technology (IT) management letter for the Federal Emergency\nManagement Agency component of the FY 2008 DHS financial statement audit as of September 30,\n2008. 
It contains observations and recommendations related to information technology internal\ncontrol that were not required to be reported in the financial statement audit report (OIG-09-09,\nNovember 2008) and represents the separate restricted distribution report mentioned in that report.\nThe independent accounting firm KPMG LLP (KPMG) performed the audit of DHS\xe2\x80\x99 FY 2008\nfinancial statements and prepared this IT management letter. KPMG is responsible for the attached\nIT management letter dated December 5, 2008, and the conclusions expressed in it. We do not\nexpress opinions on DHS\xe2\x80\x99 financial statements or internal control or make conclusion on compliance with\nlaws and regulations.\n\nThe recommendations herein have been developed to the best knowledge available to our office, and\nhave been discussed in draft with those responsible for implementation. We trust this report will\nresult in more effective, efficient, and economical operations. We express our appreciation to all of\nthose who contributed to the preparation of this report.\n\n\n\n\n                                      Richard L. Skinner \n\n                                      Inspector General \n\n\x0c                               KPMG LLP\n                               2001 M Street, NW\n                               Washington, DC 20036\n\n\n\nDecember 5, 2008\n\nInspector General\nU.S. Department of Homeland Security\n\nChief Information Officer\nFederal Emergency Management Agency\n\nChief Financial Officer\nFederal Emergency Management Agency\n\nLadies and Gentlemen:\n\nWe were engaged to audit the consolidated balance sheet of the U.S. Department of Homeland Security\n(DHS) as of September 30, 2008, and the related statement of custodial activity for the year then ended\n(referred to herein as \xe2\x80\x9cfinancial statements\xe2\x80\x9d). 
We were not engaged to audit the statements of net cost,\nchanges in net position, and budgetary resources for the year ended September 30, 2008 (referred to\nherein as \xe2\x80\x9cother financial statements\xe2\x80\x9d). Due to matters discussed in our Independent Auditors\xe2\x80\x99 Report,\ndated November 14, 2008, the scope of our work was not sufficient to enable us to express, and we did\nnot express, an opinion on the financial statements.\nIn connection with our fiscal year (FY) 2008 engagement, we considered the Federal Emergency\nManagement Agency\xe2\x80\x99s (FEMA) internal control over financial reporting by obtaining an understanding\nof FEMA\xe2\x80\x99s internal control, determining whether internal controls had been placed in operation,\nassessing control risk, and performing tests of controls in order to determine our procedures. We limited\nour internal control testing to those controls necessary to achieve the objectives described in\nGovernment Auditing Standards and Office of Management and Budget (OMB) Bulletin No. 07-04,\nAudit Requirements for Federal Financial Statements. We did not test all internal controls relevant to\noperating objectives as broadly defined by the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982\n(FMFIA). The objective of our engagement was not to provide an opinion on the effectiveness of DHS\xe2\x80\x99\ninternal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness\nof DHS\xe2\x80\x99 internal control over financial reporting. 
Further, other matters involving internal control over\nfinancial reporting may have been identified and reported had we been able to perform all procedures\nnecessary to express an opinion on the DHS balance sheet as of September 30, 2008, and the related\nstatement of custodial activity for the year then ended, and had we been engaged to audit the other FY\n2008 financial statements.\nA control deficiency exists when the design or operation of a control does not allow management or\nemployees, in the normal course of performing their assigned functions, to prevent or detect\nmisstatements on a timely basis. A significant deficiency is a control deficiency, or combination of\ncontrol deficiencies, that adversely affects DHS\xe2\x80\x99 ability to initiate, authorize, record, process, or report\nfinancial data reliably in accordance with U.S. generally accepted accounting principles such that there is\nmore than a remote likelihood that a misstatement of DHS\xe2\x80\x99 financial statements that is more than\ninconsequential will not be prevented or detected by DHS\xe2\x80\x99 internal control over financial reporting. A\nmaterial weakness is a significant deficiency, or combination of significant deficiencies, that results in\nmore than a remote likelihood that a material misstatement of the financial statements will not be\nprevented or detected by the entity\xe2\x80\x99s internal control.\n\n\n\n\n                                    KPMG LLP, a U.S. limited liability partnership, is the U.S.\n                                    member firm of KPMG International, a Swiss cooperative.\n\x0cDuring our audit engagement, we noted certain matters with respect to FEMA\xe2\x80\x99s financial systems\xe2\x80\x99\ninformation technology (IT) general controls which we believe contribute to a DHS-level significant\ndeficiency that is considered a material weakness in IT general and application controls. 
These matters\nare described in the IT General Control Findings by Audit Area section of this letter.\nThe material weakness described above is presented in our Independent Auditors\xe2\x80\x99 Report, dated\nNovember 14, 2008. This letter represents the separate restricted distribution report mentioned in that\nreport.\n\nAlthough not considered to be material weaknesses, we also noted certain other matters during our audit\nengagement which we would like to bring to your attention. These matters are also described in the IT\nGeneral Control Findings by Audit Area section of this letter.\nThe material weakness and other comments described herein have been discussed with the appropriate\nmembers of management, or communicated through a Notice of Finding and Recommendation (NFR),\nand are intended For Official Use Only. We aim to use our knowledge of DHS\xe2\x80\x99 organization gained\nduring our audit engagement to make comments and suggestions that we hope will be useful to you. We\nhave not considered internal control since the date of our Independent Auditors\xe2\x80\x99 Report.\nThe Table of Contents on the next page identifies each section of the letter. In addition, we have\nprovided: a description of key FEMA financial systems and IT infrastructure within the scope of the FY\n2008 DHS financial statement audit engagement in Appendix A; a description of each internal control\nfinding in Appendix B; and the current status of the prior year NFRs in Appendix C. Our comments\nrelated to financial management and reporting internal controls have been presented in a separate letter to\nthe Office of Inspector General and the DHS Chief Financial Officer dated December 5, 2008.\n\nThis report is intended solely for the information and use of DHS management, DHS Office of Inspector\nGeneral, OMB, U.S. Government Accountability Office, and the U.S. 
Congress, and is not intended to be\nand should not be used by anyone other than these specified parties.\n\n\nVery truly yours,\n\x0c                             Department of Homeland Security\n\n                         Federal Emergency Management Agency \n\n                         Information Technology Management Letter\n                                    September 30, 2008\n\n               INFORMATION TECHNOLOGY MANAGEMENT LETTER \n\n\n                                    TABLE OF CONTENTS\n\n                                                                                               Page\n\nObjective, Scope and Approach                                                                   1\n\n\nSummary of Findings and Recommendations                                                         3\n\n\nIT General Control Findings by Audit Area                                                       4\n\n\n Findings Contributing to a Material Weakness in IT                                             4\n\n\n   Access Controls                                                                              4\n\n\n   Application Software Development and Change Controls                                         4\n\n\n   System Software                                                                              4\n\n\n   Service Continuity                                                                           4\n\n\n   Entity-wide Security Program Planning and Management                                         4\n\n\n Other Findings in IT General Controls                                                          6\n\n\n   Access Controls                                                                              6\n\n\n   Service Continuity                                                                           6\n\n\n   System Software                                                                              6\n\n\n   Entity-wide Security Program Planning and 
Management                                         6\n\n\n   Segregation of Duties                                                                        6\n\n\nApplication Control Findings                                                                    9\n\n\nManagement Comments and OIG Response                                                            9\n\n\n                                          APPENDICES\n\n\n    Appendix                                        Subject                                    Page\n\n                     Description of Key Federal Emergency Management Agency Financial \n\n                     Systems and Information Technology Infrastructure within the Scope of \n\n        A                                                                                       10\n                     the FY 2008 Department of Homeland Security Financial Statement\n                     Audit Engagement\n\n                     FY 2008 Notices of Information Technology Findings and \n\n        B                                                                                       12\n                     Recommendations at the Federal Emergency Management Agency\n\x0c           Department of Homeland Security\n       Federal Emergency Management Agency\n       Information Technology Management Letter\n                  September 30, 2008\n\n\n    Status of Prior Year Notices of Findings and Recommendations and\nC   Comparison to Current Year Notices of Findings and Recommendations   26\n    at the Federal Emergency Management Agency\n\nD   Management Comments                                                  34\n\x0c                                 Department of Homeland Security\n\n                             Federal Emergency Management Agency \n\n                             Information Technology Management Letter\n                                        September 30, 2008\n\n                               OBJECTIVE, SCOPE AND APPROACH\n\nWe 
were engaged to perform audit procedures over Department of Homeland Security (DHS) information\ntechnology (IT) general controls in support of the fiscal year (FY) 2008 DHS balance sheet and statement\nof custodial activity audit engagement. The overall objective of our engagement was to evaluate the\neffectiveness of IT general controls of DHS\xe2\x80\x99 financial processing environment and related IT\ninfrastructure as necessary to support the engagement. The Federal Information System Controls Audit\nManual (FISCAM), issued by the Government Accountability Office (GAO), formed the basis of our\naudit procedures. The scope of the IT general controls assessment performed at the Federal Emergency\nManagement Agency (FEMA) is described in Appendix A.\n\nFISCAM was designed to inform financial auditors about IT controls and related audit concerns to assist\nthem in planning their audit work and to integrate the work of auditors with other aspects of the financial\naudit. FISCAM also provides guidance to IT auditors when considering the scope and extent of review\nthat generally should be performed when evaluating general controls and the IT environment of a federal\nagency. 
FISCAM defines the following six control functions to be essential to the effective operation of\nthe IT general controls environment.\n\n\xef\xbf\xbd\t Entity-wide security program planning and management (EWS) \xe2\x80\x93 Controls that provide a framework\n   and continuing cycle of activity for managing risk, developing security policies, assigning\n   responsibilities, and monitoring the adequacy of computer-related security controls.\n\xef\xbf\xbd\t Access control (AC) \xe2\x80\x93 Controls that limit and/or monitor access to computer resources (data,\n   programs, equipment, and facilities) to protect against unauthorized modification, loss, and disclosure.\n\xef\xbf\xbd\t Application software development and change control (ASDCC) \xe2\x80\x93 Controls that help to prevent the\n   implementation of unauthorized programs or modifications to existing programs.\n\xef\xbf\xbd\t System software controls (SS) \xe2\x80\x93 Controls that limit and monitor access to powerful programs that\n   operate computer hardware and secure applications supported by the system.\n\xef\xbf\xbd\t Segregation of duties (SD) \xe2\x80\x93 Controls that constitute policies, procedures, and an organizational\n   structure to prevent one individual from controlling key aspects of computer-related operations, thus\n   deterring unauthorized actions or access to assets or records.\n\xef\xbf\xbd\t Service continuity (SC) \xe2\x80\x93 Controls that involve procedures for continuing critical operations without\n   interruption, or with prompt resumption, when unexpected events occur.\n\nTo complement our IT general controls audit procedures, we also performed technical security testing for\nkey network and system devices, as well as testing over key financial application controls. 
The technical\nsecurity testing was performed both over the Internet and from within select FEMA facilities, and focused\non test, development, and production devices that directly support FEMA\xe2\x80\x99s financial processing and key\ngeneral support systems.\n\nIn addition to testing FEMA\xe2\x80\x99s IT general control environment, we performed testing of automated\napplication controls on a limited number of FEMA\xe2\x80\x99s financial systems and applications. The application\ncontrol testing was performed to assess the controls that support the financial systems\xe2\x80\x99 internal controls\nover the input, processing, and output of financial data and transactions.\n\n\n\n\n                                                     1\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                 Department of Homeland Security\n\n                             Federal Emergency Management Agency \n\n                             Information Technology Management Letter\n                                        September 30, 2008\n\n\xef\xbf\xbd\t Application controls (APC) - Application controls are the structure, policies, and procedures that\n   apply to separate, individual application systems, such as accounts payable, inventory, payroll, grants,\n   or loans.\n\n\n\n\n                                                    2\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                 Department of Homeland Security\n\n                             Federal Emergency Management Agency \n\n                             Information Technology Management Letter\n                                        September 30, 2008\n\n                     SUMMARY OF FINDINGS AND RECOMMENDATIONS\n\nDuring FY 2008, FEMA took 
corrective action to address prior year IT control weaknesses. For example,\nFEMA made improvements by restricting access to offline account tables, implementing an alternate\nprocessing site for one of its financial applications, and improving the process for retaining National\nFlood Insurance Program (NFIP) change control documentation. However, during FY 2008, we\ncontinued to identify IT general control weaknesses at FEMA. The most significant weaknesses from a\nfinancial statement audit perspective related to controls over access to programs and data and controls\nover program changes. Collectively, the identified IT control weaknesses limited FEMA\xe2\x80\x99s ability to\nensure that critical financial and operational data were maintained in such a manner to ensure\nconfidentiality, integrity, and availability. In addition, these weaknesses negatively impacted the internal\ncontrols over FEMA financial reporting and its operation, and we consider them to collectively represent\na material weakness for FEMA under standards established by the American Institute of Certified Public\nAccountants (AICPA). The applicable IT findings were combined into one material weakness regarding\nIT in our Independent Auditors\xe2\x80\x99 Report, dated November 14, 2008, on the DHS consolidated financial\nstatements.\n\nOf the 26 findings identified during our FY 2008 testing, 15 were repeat findings, either partially or in\nwhole from the prior year, and 11 were new findings. These findings were representative of five of the\nsix key FISCAM control areas, and the majority were inherited from the lack of properly designed,\ndetailed, and consistent guidance over financial system controls to enforce DHS 4300A, Information\nTechnology Security Program, requirements and National Institute of Standards and Technology (NIST)\nguidance. 
Specifically, the findings stem from: 1) inadequately designed and operating access control\npolicies and procedures relating to the granting of access to systems and supervisor re-certifications of\nuser access privileges, 2) lack of properly monitored audit logs, 3) inadequately designed and operating\nchange control policies and procedures, 4) patch and configuration management weaknesses within the\nsystem, and 5) the lack of tested contingency plans. These weaknesses may increase the risk that the\nconfidentiality, integrity, and availability of system controls and FEMA financial data could be exploited,\nthereby compromising the integrity of financial data used by management and reported in the DHS\nfinancial statements.\n\nWhile the recommendations made by KPMG should be considered by FEMA, it is the ultimate\nresponsibility of FEMA management to determine the most appropriate method(s) for addressing the\nweaknesses identified based on system capabilities and available resources.\n\n\n\n\n                                                     3\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                Department of Homeland Security\n\n                            Federal Emergency Management Agency \n\n                            Information Technology Management Letter\n                                       September 30, 2008\n\n                      IT GENERAL CONTROL FINDINGS BY AUDIT AREA\n\nConditions: In FY 2008, the following IT and financial system control weaknesses were identified at\nFEMA and contribute to a DHS-level significant deficiency that is considered a material weakness in IT\ngeneral and application controls:\n\n\n1.\t Access controls \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t User account lists were not periodically reviewed for appropriateness, resulting in inappropriate\n       authorizations and excessive 
user access privileges;\n    \xef\xbf\xbd\t Accounts were not disabled or removed promptly upon personnel termination;\n    \xef\xbf\xbd\t Audit logs were not reviewed or evidence of audit log reviews was not retained; and\n    \xef\xbf\xbd\t Security patch management and configuration weaknesses exist on hosts supporting the key\n       financial applications and general support systems.\n\n\n2.\t Application software development and change controls \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Emergency and non-emergency changes were made prior to management approval. Additionally,\n       changes made to the system did not always follow established procedures. Specifically,\n                         , test plans, test results, approvals, and software modifications were not\n       consistently performed or documented.\n\n\n3.\t System software \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Evidence of system software audit log reviews is not retained.\n\n\n4.\t Service continuity \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t An alternate processing site is not operational for one of the FEMA financial systems.\n\n\n5.\t Entity-wide security program planning and management \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Vulnerabilities identified from periodic scans are not reported and tracked via the Plan of Action\n       and Milestones (POA&M) process.\n\n\nRecommendations: We recommend that the FEMA Office of the Chief Information Officer (OCIO) and\nOffice of the Chief Financial Officer (OCFO), in coordination with the DHS OCIO and OCFO, make the\nfollowing improvements to FEMA\xe2\x80\x99s financial management systems and associated IT security program:\n\n\n\n\n                                                    4\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                  Department of Homeland Security\n\n                              
Federal Emergency Management Agency \n\n                              Information Technology Management Letter \n\n                                         September 30, 2008\n\n1. For access controls:\n    \xef\xbf\xbd\t Develop and appropriately implement an access authorization process that ensures that a request\n       is completed and documented for each individual prior to granting him/her access to a financial\n       application or database;\n    \xef\xbf\xbd\t Implement an account management certification process within FEMA to ensure the periodic\n       review of user accounts for appropriate access and ensure that current user profiles are\n       appropriately documented;\n    \xef\xbf\xbd\t Implement a process to ensure that all system accounts of terminated employees and contractors\n       are immediately removed/end-dated/disabled upon their departure;\n    \xef\xbf\xbd\t Develop and implement detailed procedures requiring the consistent and timely review of \n\n       operating system and application logs for suspicious activity and the maintenance of \n\n       documentation supporting such reviews; and \n\n    \xef\xbf\xbd\t Conduct periodic vulnerability assessments, whereby systems are periodically reviewed for access\n       controls related to patch management and configuration management not in compliance with\n       DHS and other Federal guidance, and ensure that corrective action is developed, tracked, and\n       performed to remediate any security weaknesses identified.\n\n\n2.\t For application software development and change control:\n   \xef\xbf\xbd\t Further develop and enforce policies that require changes and emergency changes to the\n      application software to be approved, tested, and documented prior to implementation, and related\n      documentation to be appropriately maintained.\n\n\n3.\t For system software:\n    \xef\xbf\xbd\t Actively monitor the use of and changes related to operating systems and other sensitive 
utility\n       software and hardware, and maintain evidence of this monitoring.\n\n\n4.\t For service continuity:\n    \xef\xbf\xbd\t Ensure that alternate processing sites are established and made operational.\n\n\n5.\t For entity-wide security program planning and management:\n    \xef\xbf\xbd   Ensure that all vulnerabilities and weaknesses are reported and tracked via the POA&M process.\n\n\n\n\n                                                    5\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                 Department of Homeland Security\n\n                             Federal Emergency Management Agency \n\n                             Information Technology Management Letter \n\n                                        September 30, 2008\n\nOther Findings in IT General Controls\n\n\nAlthough not considered to be a material weakness, we also noted the following other matters related to\nIT and financial system control deficiencies during the FY 2008 audit engagement:\n\n\n1.\t Access controls \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Interconnection Security Agreements (ISA) between FEMA and external parties were not in place\n       or not finalized;\n    \xef\xbf\xbd\t A formalized process does not exist to guide staff in the modification of system accounts to\n       ensure that appropriate privileges are created, documented, and approved for a specific function;\n    \xef\xbf\xbd\t Instances of inadequate or weak passwords that existed on key systems, servers and databases that\n       house financial data; and\n    \xef\xbf\xbd\t Workstations were configured without up-to-date anti-virus software.\n\n\n2.\t Service continuity \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Full testing of a current and finalized contingency plan was not conducted; and\n    \xef\xbf\xbd\t Backup tapes are not tested on a quarterly basis.\n\n\n3.\t 
System software \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Procedures for identifying and installing patches are in draft and have not been implemented; and\n   \xef\xbf\xbd\t   Developer changes to the directory and sub-directories of one financial application are not \n\n        monitored to review and validate implemented changes. \n\n\n\n4.\t Entity-wide security program planning and management \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t The system security plan for one financial system is not accurate and up-to-date.\n\n\n5.\t Segregation of duties \xe2\x80\x93 we noted:\n    \xef\xbf\xbd\t Documentation surrounding incompatible roles and responsibilities does not exist over a key\n       financial application, and policies and procedures for properly segregating incompatible duties\n       within the system are not documented.\n\n\nRecommendations: We recommend that the FEMA OCIO and FEMA OCFO, in coordination with the\nDHS OCIO and OCFO, make the following improvements to FEMA\xe2\x80\x99s financial management systems:\n\n\n                                                     6\n   Information Technology Management Letter for the FEMA Component of the FY 2008 DHS \n\n                                Financial Statement Audit \n\n\x0c                                  Department of Homeland Security\n\n                              Federal Emergency Management Agency \n\n                              Information Technology Management Letter \n\n                                         September 30, 2008\n\n\n1. 
For access controls:
   • Ensure that ISAs are documented and finalized between FEMA and all applicable external parties;
   • Develop and implement policies and procedures that document the process of adding, deleting, and modifying [redacted] functions to ensure that the proper controls are in place for modifying user account privileges;
   • Enforce password controls that meet DHS' password requirements on all key financial systems; and
   • Develop procedures to regularly review and monitor workstations to ensure that the most up-to-date virus protection software is installed.

2. For service continuity:
   • Perform testing of key service continuity capabilities, including contingency planning. Ensure that all contingency plans and related documentation are updated upon completion of testing; and
   • Test backup tapes at least quarterly.

3. For system software:
   • Implement a patch management policy and enforce the requirement that systems are periodically tested for vulnerabilities by FEMA and the DHS OCIO; and
   • Establish a process within existing procedures for retaining documented evidence that developer changes to a financial application directory and sub-directories are monitored to verify that only authorized changes are implemented into production.

4. For entity-wide security program planning and management:
   • Finalize and implement the comprehensive system security plans for all key financial systems in accordance with DHS and NIST guidance.

5. For segregation of duties:
   • Document duties that are incompatible, and develop and implement policies and procedures for properly segregating incompatible duties within the system.

Cause/Effect: Many of these weaknesses originate from policy and system development activities that did not incorporate strong security controls from the outset and will take several years to fully remediate. While FEMA has made improvements in addressing the root cause of some IT weaknesses and has worked to improve security controls, we found that focus is often still placed on the tracking of responses to audit recommendations, instead of on developing the most effective method of addressing the actual control weakness. When weaknesses in controls or processes are identified, we noted that corrective actions implemented address the symptom of the problem and do not always correct the root cause, resulting in a temporary fix. Further, detection of these temporary fixes through self-evaluation is not effective, due to insufficient testing of IT controls and remediation activities. Finally, FEMA has undertaken several high priority and competing IT initiatives to improve its control environment and does not always have sufficient resources to direct towards the implementation of security controls in a consistent manner.

Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit

Department of Homeland Security
Federal Emergency Management Agency
Information Technology Management Letter
September 30, 2008

Reasonable assurance should be provided that financial system user access levels are limited and monitored for appropriateness and that all user accounts belong to current employees and contractors. Furthermore, monitoring of the more highly privileged accounts is essential. The weaknesses identified within FEMA's access controls increase the risk that employees and contractors may have access to a system that is outside the realm of their job responsibilities, or that a separated individual, or another person with knowledge of an active account of a terminated employee or contractor, could use the account to alter the data contained within the application or database without being detected. This may also increase the risk that the confidentiality, integrity, and availability of system controls and the financial data could be exploited, thereby compromising the integrity of financial data used by management and reported in the DHS financial statements.

Furthermore, the lack of fully implemented security configuration management controls may result in security responsibilities being communicated to system developers improperly, as well as the improper implementation and monitoring of system changes. This also increases the risk of unsubstantiated changes and changes that may introduce errors or data integrity issues that are not easily traceable back to the changes. In addition, it increases the risk of undocumented and unauthorized changes to critical or sensitive information and systems, which may reduce the reliability of information produced by these systems.

Criteria: The Federal Information Security Management Act (FISMA), passed as part of the Electronic Government Act of 2002, mandates that Federal entities maintain IT security programs in accordance with OMB and NIST guidance. OMB Circular No. A-130, Management of Federal Information Resources, and various NIST guidelines describe specific essential criteria for maintaining effective IT general controls. In addition, OMB Circular No. A-127, Financial Management Systems, prescribes policies and standards for Executive Branch departments and agencies to follow in developing, operating, evaluating, and reporting on financial management systems.
For this year's IT audit procedures, we also assessed FEMA's compliance with DHS Sensitive Systems Policy Directive 4300A, Information Technology Security Program.

APPLICATION CONTROL FINDINGS

No application control weaknesses were identified during our FY 2008 testing of IT controls.

MANAGEMENT COMMENTS AND OIG RESPONSE

We obtained written comments on a draft of this report from FEMA Management. Generally, FEMA agreed with all of our findings and recommendations. FEMA has developed a remediation plan to address these findings and recommendations.
We have incorporated these comments where appropriate and included a copy of the comments at Appendix D.

OIG Response

We agree with the steps that FEMA management is taking to satisfy these recommendations.

Appendix A

Description of Key Federal Emergency Management Agency Financial Systems and Information Technology Infrastructure within the Scope of the FY 2008 Department of Homeland Security Financial Statement Audit Engagement

Below is a description of significant Federal Emergency Management Agency (FEMA) financial management systems and supporting information technology (IT) infrastructure included in the scope of the engagement to perform the financial statement audit.

Locations of Audit: FEMA [redacted].; the [redacted] in [redacted]; the National Flood Insurance Program (NFIP) in [redacted]; and the NFIP contractor location in [redacted].

Key Systems Subject to Audit:

• [redacted] – [redacted] is the key financial reporting system, and has several feeder subsystems (budget, procurement, accounting, and other administrative processes and reporting).

• [redacted] – [redacted] is an integrated system to provide FEMA, the states, and certain other federal agencies with automation to perform disaster related operations. [redacted] supports all phases of emergency management and provides financial-related data to [redacted] via an automated interface.

• [redacted] ([redacted]) – The [redacted] application acts as a central repository of all data submitted by the Write Your Own (WYO) companies and [redacted] Direct Servicing Agent. [redacted] also supports the NFIP, primarily by ensuring the quality of financial data submitted by the WYO companies and the Direct Servicing Agent to [redacted]. [redacted] is a [redacted]-based application that runs on the NFIP [redacted] logical partition in [redacted].

• [redacted] – The general ledger application used by [redacted] to generate the NFIP financial statements. [redacted] is a client-server application that runs on a [redacted] server in [redacted], which is secured in the [redacted] room. The [redacted] client is installed on the desktop computers of the [redacted] Bureau of Financial Statistical Control group members.

• [redacted] – [redacted] is a web-based application which was developed by [redacted] specifically for FEMA grants. [redacted] allows grantees to access their grant funds and upload SF 269s online. Draw down transaction information from [redacted] is interfaced with [redacted]. [redacted] then interfaces with the U.S. Department of the Treasury (Treasury) to transfer payment information to Treasury, resulting in a disbursement of funds to the grantee.

Appendix B

FY 2008 Notices of Information Technology Findings and Recommendations at the Federal Emergency Management Agency

Notice of Findings and Recommendations – Definition of Risk Ratings**:

The Notices of Findings and Recommendations (NFR) were risk ranked as High, Medium, and Low** based upon the potential impact that each weakness could have on Federal Emergency Management Agency's (FEMA) information technology (IT) general control environment and the integrity of the financial data residing on FEMA's financial systems, and the pervasiveness of the weakness.

** The risk ratings are intended only to assist management in prioritizing corrective actions, considering the potential benefit of the corrective action to strengthen the IT general control environment and/or the integrity of the DHS consolidated financial statements. The risk ratings, used in this context, are not defined by Government Auditing Standards, issued by the Comptroller General of the United States, or the American Institute of Certified Public Accountants (AICPA) Professional Standards, and do not necessarily correlate to a significant deficiency, as defined by the AICPA Professional Standards and reported in our Independent Auditors' Report on the DHS consolidated financial statements, dated November 14, 2008.

Correction of some higher risk findings may help mitigate the severity of lower risk findings, and possibly function as a compensating control. In addition, analysis was conducted collectively on all NFRs to assess connections between individual NFRs, which when joined together could lead to a control weakness occurring with more likelihood and/or higher impact potential.

High Risk**: A control weakness that is more serious in nature, affecting a broader range of financial IT systems, or having a more significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Medium Risk**: A control weakness that is less severe in nature, but in conjunction with other IT general control weaknesses identified, may have a significant impact on the IT general control environment and/or the integrity of the financial statements as a whole.

Low Risk**: A control weakness minimal in impact to the IT general control environment and/or the integrity of the financial statements.

Federal Emergency Management Agency
FY 2008 Notices of Information Technology
Notices of Findings and Recommendations – Detail
Columns: NFR # | Condition | Recommendation | New Issue | Repeat Issue | Risk Rating*

NFR #: FEMA-IT-08-02
Condition: During our vulnerability assessment technical testing, certain configuration management weaknesses were identified on [redacted] and [redacted] database instances and on key support servers. Specifically, servers were identified with password and auditing configuration weaknesses.
Recommendation: FEMA should implement the corrective actions listed in the NFR for each technical control weakness identified.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: High

NFR #: FEMA-IT-08-03
Condition: [redacted] account users did not complete a new FEMA Form 20-24 in response to the recertification process.
Recommendation: Ensure that the Office of Chief Financial Officer (OCFO) Procedures for Granting Access to [redacted] are consistently followed by continuing to perform and document a review of all accounts in accordance with DHS policy, including supervisor verification of all access privileges granted through the submission of a new FEMA Form 20-24 by all federal employees and contractors.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: High

NFR #: FEMA-IT-08-06
Condition: We noted that FEMA has made a management decision not to develop policies and procedures over the modification of [redacted] account functions until the new [redacted] system upgrade occurs. We noted that FEMA has reported in the Plan of Action and Milestones that they expect to address corrective action for this weakness in FY 2010. As a result, a formalized process does not exist to guide Financial Services Section (FSS) staff in the modification of the system to ensure that appropriate privileges are created, documented, and approved for a specific function.
Recommendation: We recommend that FEMA develop and implement policies and procedures documenting the process of adding, deleting, and modifying [redacted] system functions to ensure that the proper controls are in place for modifying user account privileges.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Low

NFR #: FEMA-IT-08-12
Condition: FEMA informed us that the automated manager certification process has not yet begun. Therefore, the FY 2008 recertification has not been completed and the risk of unauthorized users accessing [redacted] was present for a majority of the fiscal year.
Recommendation:
   • Dedicate resources to complete the review of [redacted] user access for FY 2008 and conduct subsequent annual reviews of [redacted] user access by performing the management certification process in accordance with FEMA and DHS policies and procedures.
   • Fully implement the policies and procedures in place for the [redacted] recertification process and retain auditable records, in accordance with DHS policy, that provide evidence that recertifications are conducted and completed periodically with timeliness.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Medium

NFR #: FEMA-IT-08-13
Condition: KPMG was informed that terminated [redacted] users are to have the "[redacted]" role applied to their account profile prior to being removed from the application, which overrides all existing roles and deactivates any existing privileges within the application, although the individual can still log into the account. However, FEMA Instruction 2200.7 specifies that personnel separating from FEMA shall have all [redacted] access privileges cancelled and their user account removed. Consequently, although the risk is mitigated by the limited access rights on the accounts with the "[redacted]" privilege, those six accounts demonstrate that the policies and procedures surrounding the [redacted] terminated user process are not consistently applied and the accounts have not been removed. Additionally, four (4) out of the ten (10) accounts remained on the [redacted] system with an active status.
Recommendation: Ensure that policies and procedures over removal of separated user access to [redacted] and [redacted] are consistently followed by removing accounts for any separated users immediately upon notification of separation according to FEMA, DHS and National Institute of Standards and Technology guidance.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: High

NFR #: FEMA-IT-08-17
Condition: There is no documented evidence to support that monitoring of the "[redacted]" directory and sub-directories of [redacted] is occurring.
Recommendation: We recommend that FEMA establish a process within existing procedures for retaining documented evidence that the "[redacted]" directory and sub-directories are being monitored to verify that only authorized changes are implemented into production.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Medium

NFR #: FEMA-IT-08-19
Condition: While FEMA informed us that system software activity is logged, we were unable to obtain evidence that the audit logs were reviewed on a periodic basis.
Recommendation: We recommend that FEMA's process for monitoring sensitive access and suspicious activity on [redacted] system software include retention of evidence that audit records are proactively reviewed.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Medium

NFR #: FEMA-IT-08-22
Condition: Per inspection of the Plan of Actions and Milestones, we noted that corrective action was initiated by FEMA to implement an alternate processing facility for [redacted] but that the alternate site has not been established. Due to the magnitude of the project scope, implementation of an alternate processing site will not be achieved within twelve (12) months. Consistent with DHS policy for corrective actions that cannot be implemented within twelve (12) months, a DHS IT Security Program Waiver (number WR-2008-012) was approved by the DHS Chief Information Security Officer in March 2008 to provide FEMA with additional time to plan and develop an effective alternate processing site for [redacted]. Per DHS policy, the waiver must be reviewed, updated, and re-approved by the appropriate management officials every six (6) months. As required by DHS policy, the approved waiver describes the mitigating efforts, management's acceptance of the associated residual risk, and a plan for attaining compliance with DHS policy. The waiver also documents the compensating controls to mitigate risk until the alternate processing site is implemented. The compensating controls are to be derived by conducting annual table-top exercises and ensuring that regular backups of critical [redacted] data and offsite backup storage are performed. However, a fully successful table-top test of [redacted] has not been conducted for FY 2008. The waiver granted provides an extension of time to implement corrective action, but the associated risk still remains.
Recommendation:
   • Complete on-going efforts to fully establish and implement an alternate processing site for the [redacted] system according to DHS 4300A.
   • Ensure that redundant servers are created at the alternate processing site that is established for the [redacted] servers located at the [redacted] during implementation of the alternate processing site.
   • Update the existing waiver, as required, in accordance with effective DHS policy regarding waivers, and ensure that compensating controls described in the waiver are effective and documentation of their effectiveness is maintained as auditable records.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: High

NFR #: FEMA-IT-08-23
Condition: [redacted] system administrators conducted ad hoc backup tape restores for system users and performed a full database restore in March 2008 during a server upgrade. However, there was no evidence that quarterly testing was conducted or that FEMA has a formalized process to test backup tapes more frequently than annually.
Recommendation: We recommend that FEMA develop and implement procedures to periodically test the [redacted] backups in accordance with DHS Information Technology Security Program Publication 4300A requirements.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Low

NFR #: FEMA-IT-08-24
Condition: We noted that the tape restore schedule requires quarterly testing of backup tapes beginning no earlier than FY 2009. Additionally, we determined that the [redacted] Contingency Plan was not tested and consequently a full [redacted] backup tape restore did not occur in FY 2008. Rather, [redacted] system administrators conducted ad hoc backup tape restores at the request of system users during the fiscal year.
Recommendation: We recommend that FEMA periodically test [redacted] backups on a quarterly basis in compliance with FEMA and DHS policy.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Low

NFR #: FEMA-IT-08-25
Condition: Due to the magnitude of the project scope to establish a "real-time" alternate processing site for [redacted], FEMA was unable to implement corrective actions to fully remediate the prior year finding within twelve (12) months. Consistent with DHS policy for findings that cannot be remediated within twelve (12) months, a DHS IT Security Program Waiver (number WR-2008-012) was approved by the DHS Chief Information Security Officer in March 2008 to provide FEMA with additional time to plan and develop an effective alternate processing site for [redacted]. Per DHS policy, the waiver must be reviewed, updated, and re-approved by the appropriate management officials every six (6) months. The waiver identifies that until the alternate processing site is implemented and full scale testing can be conducted, compensating controls will be implemented by conducting annual table-top exercises. Additionally, at the close of our audit test work, we determined that annual table-top testing had not been conducted and documented. We determined that the most recently conducted table-top review of the [redacted] contingency plan occurred on July 21, 2007 and was conducted for processes, procedures, and scenarios identified in the contingency plan dated June 29, 2007. We noted that the documented results of the July 2007 test stated that FEMA was unable to successfully complete steps that were planned to be conducted during the Recovery Procedure Activation phase due to material weaknesses and deficiencies cited in the recovery procedures.
Recommendation:
   • Continue to dedicate resources towards completing on-going corrective actions to implement a "real-time" alternate processing site for [redacted].
   • Update the existing waiver, as required, in accordance with effective DHS policy regarding waivers, and ensure that compensating controls described in the waiver are effective and documentation of their effectiveness is maintained as auditable records.
   • In the event that an updated waiver is denied or when the alternate processing site is established, conduct documented annual tests of the [redacted] contingency plan that address all critical phases of the plan.
   • Update the [redacted] contingency plan based on the lessons learned from table-top or full-scale testing results, as necessary.
New Issue / Repeat Issue: New Issue
Risk Rating*: Medium

NFR #: FEMA-IT-08-28
Condition: During our FY 2008 follow up test work, we tested a selection of 40 [redacted] non-emergency application level [redacted] that had occurred since October 1, 2007. Of the 40 [redacted] tested, we noted the following exceptions:
   • 29 [redacted] did not have testing documentation attached to the [redacted];
   • 36 [redacted] did not have [redacted] approval; and
   • 32 [redacted] did not have [redacted] approval.
Recommendation: We recommend that FEMA, in accordance with DHS and FEMA policy, ensure that [redacted] non-emergency application level changes obtain all required approvals prior to implementation into production and that testing documentation is appropriately retained.
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Medium

NFR #: FEMA-IT-08-29
Condition: We noted that [redacted] approvals for [redacted] application level emergency changes did not consistently follow FEMA and DHS guidance.
Recommendation: We recommend that FEMA, in accordance with DHS and FEMA policy, ensure that
New Issue / Repeat Issue: Repeat Issue
Risk Rating*: Medium
Specifically, we                            application level emergency changes\n              determined that of 25 emergency            changes        obtain all required approvals prior to\n              selected for testing:                                     implementation into production and that\n                   \xef\xbf\xbd 22 changes did not have documented                 testing documentation is appropriately\n                       approval;                                        retained.\n                   \xef\xbf\xbd 4 did not have         approval prior to\n\n\n\n                                                                       20\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                            Appendix B\n\n                                                Department of Homeland Security\n\n                                            Federal Emergency Management Agency \n\n                                            Information Technology Management Letter \n\n                                                       September 30, 2008\n\n                                                                                                                                             Repeat    Risk\n  NFR #                             Condition                                           Recommendation                          New Issue\n                                                                                                                                              Issue   Rating*\n                        implementation into production;\n                   \xef\xbf\xbd 16 did not have         approval; and\n                   \xef\xbf\xbd 6 did not have related testing documentation\n                        attached.\nFEMA-IT-08\xc2\xad   We were 
referred to Section 2.2.1 of the NFIP              We recommend that NFIP document                                       X      Medium\n   38         Administrative Manual as guidance on segregating           duties that are incompatible and develop and\n              incompatible duties. Based on our review of the            implement policies and procedures for properly\n              manual, we noted that it does not include policies         segregating incompatible duties within the\n              and procedures regarding segregating incompatible          system.\n              duties within            Additionally, while we noted\n              that system roles and responsibilities have been\n              documented,            duties that are incompatible\n              are not documented.\n\nFEMA-IT-08\xc2\xad   During our test work, we noted that a planned update       \xef\xbf\xbd   Update and test the             Contingency                       X      Medium\n   39         and subsequent testing of the            Contingency           Plan, covering all critical phases of the plan\n              Plan was not conducted and that system fail-over               in accordance with DHS policy. In addition,\n              capability at the alternate processing site had not            NFIP should conduct a test of the system\n              been tested Additionally the NFIP                              fail-over capability at the alternate\n                                                                    )        processing site.\n              was not updated to include the\n                                                   and                   \xef\xbf\xbd   Revise the Disaster Recovery and             to\n              alternate processing facility or        critical data          incorporate the            and         alternate\n              files and restoration priorities.                              
processing facility and the         critical\n                                                                             data files, as well as update the plans with\n                                                                             lessons learned from the testing.\nFEMA-IT-08\xc2\xad          user access is not managed in accordance            \xef\xbf\xbd   In support of the OCFO Procedures for                 X                  High\n   45         with account management procedures.                            Granting Access to            continue to\n                                                                             ensure the process for granting or modifying\n                                                                             access is monitored and that changes made\n                                                                             to user profiles outside of the recertification\n\n\n\n                                                                        21\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                     Appendix B\n\n                                               Department of Homeland Security\n\n                                           Federal Emergency Management Agency \n\n                                           Information Technology Management Letter \n\n                                                      September 30, 2008\n\n                                                                                                                                      Repeat    Risk\n  NFR #                            Condition                                        Recommendation                       New Issue\n                                                                                                    
                                   Issue   Rating*\n                                                                          process are documented and authorized by\n                                                                          supervisors, program managers, and\n                                                                          Contracting Officer\xe2\x80\x99s Technical\n                                                                          Representatives.\n                                                                      \xef\xbf\xbd   Ensure that the          Database User\n                                                                          Access Instruction is implemented\n                                                                          consistently by requiring that all existing\n                                                                          and new           users complete a current\n                                                                                          Database User Access Form.\n                                                                      \xef\xbf\xbd   Complete the development and\n                                                                          implementation of policies and procedures\n                                                                          over periodic recertification of all user\n                                                                          access to the                database, and\n                                                                          retain auditable records in accordance with\n                                                                          DHS polices and procedures as evidence\n                                                                          that recertifications are conducted and\n                                                                          completed periodically with 
timeliness.\n\nFEMA-IT-08\xc2\xad   The existing Memorandum of Understanding (MOU)          We recommend that FEMA complete the                   X                  Low\n   46         with the Department of Treasury expired in October      review, reauthorization, and re-issuance of a\n              2007.                                                   current MOU and Interconnection Security\n                                                                      Agreement (ISA) between the Treasury\xe2\x80\x99s\n                                                                      Financial Management Service and FEMA.\nFEMA-IT-08\xc2\xad   Based upon our review, we determined that the           Complete the reauthorization and reissuance of a      X                  Low\n   47         ISA between FEMA and the Small Business                 renewed ISA between FEMA and SBA, and\n              Administration (SBA) expired in July 2007 and           ensure that the ISA is subsequently reviewed,\n              has not been reauthorized and reissued, as required     updated as necessary, and reissued timely, as\n              by DHS policy.                                          
required by DHS policy and/or the terms of the\n                                                                      agreement.\n\nFEMA-IT-08\xc2\xad   The vulnerabilities identified from the        scans    We recommend that FEMA implement a process            X                  Medium\n\n\n\n                                                                     22\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                           Appendix B\n\n                                                Department of Homeland Security\n\n                                            Federal Emergency Management Agency \n\n                                            Information Technology Management Letter \n\n                                                       September 30, 2008\n\n                                                                                                                                            Repeat    Risk\n  NFR #                             Condition                                            Recommendation                        New Issue\n                                                                                                                                             Issue   Rating*\n    48        are not reported and tracked via DHS\xe2\x80\x99 POA&M                 to ensure that weaknesses identified during\n              process.                                                    
vulnerability assessment scans of\n                                                                           are formally reported and that associated\n                                                                          corrective actions are developed and tracked via\n                                                                          DHS\xe2\x80\x99 POA&M process.\n\nFEMA-IT-08\xc2\xad   We noted that the software was improperly                   Action was taken to correct this weakness               X                  Medium\n   49         configured so that the user\xe2\x80\x99s ability to change the         during the audit period. No further\n              following settings had not been disabled:                   recommendation is required.\n                   \xef\xbf\xbd                               for automatically\n                        scanning system files for threats, known\n                        viruses, and worms on a continuous basis\n                        when Windows is started;\n                   \xef\xbf\xbd                                        for\n                        automatically scanning Outlook and/or\n                        Outlook Express messages for viruses.\n                   \xef\xbf\xbd                                for automatically\n                        scanning incoming and outgoing Lotus\n                        Notes messages; and\n                   \xef\xbf\xbd                                  for scanning all\n                        incoming and outgoing e-mail messages\n                        other than Outlook and/or Outlook Express.\nFEMA-IT-08\xc2\xad   \xef\xbf\xbd On a daily basis, an automated report of                  We recommend that FEMA, in accordance with              X                  Medium\n   50                      database activity conducted by users           FEMA and DHS policy, continue to implement\n                   with elevated 
\xe2\x80\x9csuperuser\xe2\x80\x9d privileges is                procedures over audit logging processes for the\n                   generated and emailed to the Database                          application and database and retain\n                   Administrators (DBA) and FSS personnel for             evidence that audit records are proactively\n                   review. However, while this report is                  reviewed. Specifically, the evidence should\n                   distributed for review by the DBAs and FSS             provide a record of review that at a minimum\n                   staff, no evidence that the reviews are                notes the identity of the individual that reviewed\n                   conducted is retained.                                 the log (e.g., initials), the date of review, and\n\n\n\n                                                                         23\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                          Appendix B\n\n                                                 Department of Homeland Security\n                                             Federal Emergency Management Agency\n                                             Information Technology Management Letter\n                                                        September 30, 2008\n\n                                                                                                                                           Repeat    Risk\n  NFR #                              Condition                                          Recommendation                        New Issue\n                                                                                                                                            Issue   Rating*\n              \xef\xbf\xbd    
We noted that while FEMA Instruction                  follow up actions taken, if required. \n\n                   2200.7, \n       User Access Instruction,\n\n                   assigns the responsibility of conducting this \n\n                   weekly review to FSS, FEMA personnel do\n\n                   not formally document that the review is \n\n                   conducted.\n\n\nFEMA-IT-08\xc2\xad   \xef\xbf\xbd    We noted that the Standard Operating                  We recommend that FEMA revise existing                  X                  High\n   51              Procedures (SOP) for Handling of                      procedures for            audit logging to include\n                   Audit Logs does not comprehensively address           a review of highly-privileged and administrator-\n                   requirements of FEMA Directive 140-1,                 level activities as required by FEMA and DHS\n                   FEMA Information Technology Security                  policy and ensure implementation of all \n\n                   Policy. Specifically, the SOP does not require\n       requirements, including retention of evidence of\n                   the monitoring of modifications to account            reviews of audit logs. \n\n                   tables and other highly-privileged and \n\n                   administrator-level activities. \n\n              \xef\xbf\xbd\t   We noted that the SOP requires database \n\n                   administrators to initial and retain printed logs\n\n                   as evidence that reviews are conducted as\n\n                   required. However, FEMA informed us that \n\n                   this portion of the SOP was not being \n\n                   performed. \n\n\nFEMA-IT-08\xc2\xad   Existing procedures do not provide a timeframe for         We recommend that FEMA finalize and                     X                  Medium\n   52         installing        patches. 
Finalization and                implement procedures that define the timeframe\n\n              implementation of the \n                                    in which security patches should be installed.\n                          - FEMA Information Security\n              Vulnerability Management, which specifies the\n              timeframe for installing security patches, has been\n              delayed due to organizational changes.\nFEMA-IT-08\xc2\xad   Upon inspection of the           System Security Plan      We recommend that FEMA ensure that                      X                  Medium\n\n\n\n                                                                        24\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                                                                               Appendix B\n\n                                                     Department of Homeland Security\n                                                 Federal Emergency Management Agency\n                                                 Information Technology Management Letter\n                                                            September 30, 2008\n\n                                                                                                                                                Repeat    Risk\n        NFR #                            Condition                                           Recommendation                        New Issue\n                                                                                                                                                 Issue   Rating*\n          53        (SSP) that is a part of the                               SSP is updated in accordance with DHS policy\n                                     package, we noted that the server        so that current system 
components and system\n\n                    and host names listed in Appendix B of the SSP are \n      owners are comprehensively documented in the \n\n                    not accurate. Specifically, the listing of system\n        plan.\n                    components is not comprehensive, and portions of\n                    information, such as system owners, are not up to\n                    date.\n     FEMA-IT-08\xc2\xad    In FY 2008, we determined that NFIP had                   We recommend that NFIP ensure that testing              X                  Medium\n        54          documented and implemented the                System      documentation for           changes is retained \n\n                    Change Control Procedures. During the audit, we \n         on file in accordance with DHS policy.\n\n                    determined that two (2) \n          changes had been \n\n                    implemented since October 1, 2007. We obtained \n\n                    change documentation for both changes and noted \n\n                    that testing documentation was not retained for these\n\n                    changes. \n\n\n     FEMA-IT-08\xc2\xad    During our FY 2008 test work, we noted that NFIP         We recommend that NFIP ensure that testing of            X                  Medium\n        55          documented and implemented the NFIP Technical            all changes is documented and retained on file in \n\n                    Services Department Production Systems Control \n         accordance with DHS and NFIP requirements. \n\n                    Unit Procedures that provide guidance on \n\n                    implementing changes into the production \n\n                    environment. We selected for testing eight (8) \n\n                    changes that had been implemented since October 1, \n\n                    2007. 
Of the eight (8) tested, we identified that test \n\n                    results were not available for one (1) change. \n\n\n\n\n\n* Risk ratings are only intended to assist management in prioritizing corrective actions. Risk ratings in this context do not correlate to\ndefinitions of control deficiencies as identified by the AICPA.\n\n\n\n                                                                             25\n        Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial Statement Audit\n\x0c                                                                                Appendix C\n\n                             Department of Homeland Security\n\n                         Federal Emergency Management Agency \n\n                         Information Technology Management Letter \n\n                                    September 30, 2008\n\n\n\n\n                                       Appendix C \n\n\nStatus of Prior Year Notices of Findings and Recommendations and Comparison \n\n           To Current Year Notices of Findings and Recommendations \n\n\n\n\n\n                                            26 \n\nInformation Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial\n                                      Statement Audit\n\x0c                                                                                                         Appendix C\n\n                                       Department of Homeland Security\n\n                                   Federal Emergency Management Agency \n\n                                   Information Technology Management Letter \n\n                                              September 30, 2008\n\n\n                                                                                               Disposition\nNFR No.                                     
Columns: NFR No. | Description | Disposition (Closed / Repeat)

NFR No. FEMA-IT-07-01 (Closed)
During our technical testing, patch management weaknesses were identified on Integrated [redacted], and [redacted] systems.

NFR No. FEMA-IT-07-02 (Repeat: FEMA-IT-08-02)
During our technical testing, configuration management weaknesses were identified on [redacted], [redacted] and key support servers.

NFR No. FEMA-IT-07-03 (Repeat: FEMA-IT-08-03)
We determined that the Financial Services Section (FSS) has created procedures to review [redacted] user access on a semi-annual basis for appropriateness of access privileges granted to employees or contractors within their organization. Additionally, we noted that a recertification of all [redacted] users, which is also their semi-annual review of user access, began in June 2007. Currently, FSS is in the process of validating [redacted] access for users who responded to FSS’ recertification request. In addition, FSS is locking out the [redacted] users who did not respond. We determined that the recertification of all existing [redacted] users has not been completed for FY 2007.

NFR No. FEMA-IT-07-04 (Closed)
The FEMA alternate processing site located in [redacted] is not operational for [redacted]. FEMA is in the process of setting up a [redacted]) to replicate data from the [redacted] production server at [redacted] and send it to the [redacted] servers in [redacted]. Currently the [redacted] is not complete and therefore, the [redacted] facility does not have the capability of functioning as the alternate processing site for [redacted] if a disaster were to occur.

NFR No. FEMA-IT-07-05 (Closed)
The [redacted] Security Test & Evaluation did not provide adequate documentation of the results to the accrediting authority and that the prior year weakness still exists.

NFR No. FEMA-IT-07-06 (Repeat: FEMA-IT-08-06)
There are not formal, documented procedures in place to require updates to the [redacted] system documentation as [redacted] functions are added, deleted, or modified.

NFR No. FEMA-IT-07-07 (Closed)
We determined that FEMA has identified the [redacted]) as the alternate processing facility for [redacted]; however, it will not be fully operational until September 2007. Therefore, we determined that the [redacted] contingency plan has not undergone a full-scale test to show that the system can be brought back to an operational state at the designated alternate site.

NFR No. FEMA-IT-07-08 (Closed)
We determined that the FEMA [redacted] has not been updated to include the new listing of FEMA mission critical IT systems as outlined in the Information Technology Services Directorate Implementation Plan.

NFR No. FEMA-IT-07-09 (Closed)
We noted that FEMA has begun to standardize all user workstations to [redacted] with [redacted] installed, which would ensure that all [redacted] settings are properly applied to all users. Currently, FEMA is upgrading older user workstations to [redacted] or providing users with new workstations. However, we noted that this process will not be fully complete until January 2008. This weakness impacts [redacted].

We noted that FEMA users are locked out of the system at the domain level after three (3) consecutive failed login attempts; however, the user account becomes unlocked and active again after five (5) minutes of inactivity.

NFR No. FEMA-IT-07-10 (Closed)
We determined that FEMA has begun to standardize all user workstations to [redacted] with [redacted] installed, which would ensure that all [redacted] settings are properly applied to all users. Currently, FEMA is upgrading older user workstations to [redacted] or providing users with new workstations. However, we noted that this process is not fully completed, and FEMA has estimated this process will not be completed until January 2008.

This weakness impacts [redacted].

NFR No. FEMA-IT-07-11 (Closed)
We noted that passwords for the [redacted] application can be re-used after six (6) iterations, which is not in compliance with DHS 4300A.

NFR No. FEMA-IT-07-12 (Repeat: FEMA-IT-08-12)
We determined that the FEMA Chief Information Officer (CIO) provided procedures to all Office Directors, Regional Directors and FEMA Coordinating Officers for the periodic review of all [redacted] accounts and position assignments on June 28, 2007. We noted that detailed procedures are listed for the review of [redacted] accounts; however, the procedures do not state the frequency of this review.

We noted that this review began on June 29, 2007 with a deadline of July 26, 2007 for accepting responses from users recertifying their [redacted] accounts. Therefore, risk of unauthorized users accessing [redacted] was present for a majority of the fiscal year.

NFR No. FEMA-IT-07-13 (Repeat: FEMA-IT-08-13)
We determined that the FSS has created procedures to review [redacted] user access on a semi-annual basis for appropriateness of access privileges granted to employees or contractors within their organization. Additionally, we noted that a recertification of all [redacted] users was performed in June 2007. Currently, FSS is in the process of validating [redacted] access for the users who responded to FSS’ recertification request and locking out the [redacted] users who did not respond. We determined that the recertification of all existing [redacted] users is not yet complete for FY 2007.

We determined that the FEMA CIO provided procedures to all Office Directors, Regional Directors and FEMA Coordinating Officers for the periodic review of all [redacted] accounts and position assignments on June 28, 2007. However, the procedures do not state the frequency of this review. Furthermore, we noted that this review began on June 29, 2007 with a deadline of July 26, 2007 for accepting responses from users recertifying their [redacted] accounts. Therefore, the risk of unauthorized users accessing [redacted] was present for a majority of the fiscal year.

We noted that twenty-seven (27) terminated or separated FEMA employees and contractors maintain active [redacted] user accounts.

We noted that seven hundred seventy (770) terminated or separated FEMA employees and contractors maintain active [redacted] user accounts.

NFR No. FEMA-IT-07-14 (Closed)
We determined that IT Operations has created backup procedures entitled, [redacted], for [redacted] and [redacted] dated July 27, 2007. However, we noted that the procedures were finalized on July 27, 2007, and that the risk was present for a majority of the fiscal year.

We noted that both [redacted] and [redacted] backup tapes are not rotated off-site to the [redacted].

We noted that the FEMA alternate processing site located in [redacted] is not operational for [redacted]. We also noted that the [redacted] back-up facility has redundant servers in place for the [redacted] Database in June 2007. Therefore, the risk was present for a majority of the fiscal year.

NFR No. FEMA-IT-07-15 (Closed)
We determined that FEMA created the [redacted], [redacted], dated June 29, 2007. We noted that this plan was in draft form and that it does not fully identify the configuration management process of [redacted].

We determined that FEMA created the Supplemental Security Policy to the DHS 4300A and 4300B, which details policies for restricting access to the system software of FEMA IT systems.
However, we noted that the draft\n            policy is dated June 14, 2007.\n\n            We noted that procedures over restricting access to          system software\n\n\n\n                                                             29\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial \n\n                                        Statement Audit \n\n\x0c                                                                                                              Appendix C\n\n                                        Department of Homeland Security\n                                    Federal Emergency Management Agency\n                                    Information Technology Management Letter\n                                               September 30, 2008\n\n                                                                                                    Disposition\nNFR No.                                      Description                                          Closed    Repeat\n\n            entitled,                                  Procedures, and            patch\n            management procedures were approved on June 29, 2007. 
However, we\n            noted that the risk was present for a majority of the fiscal year, and as a result,\n            the NFR will be re-issued for FY 2007.\n\nFEMA-IT- FEMA created the Supplemental Security Policy to the DHS 4300A and                         X\n  07-16  4300B, which details policies for restricting access to system software.\n         However, we noted that the policy is in draft and dated June 14, 2007.\n\n            FEMA has not documented procedures for restricting access to              system\n            software.\n\nFEMA-IT- We determined that FEMA created a                            Standard                             FEMA-IT\xc2\xad\n  07-17  Operating Procedures (SOP) for          However, the                                                08-17\n                  SOP was approved by the OCFO on June 29, 2007. Furthermore, we\n         noted the evidence that the \xe2\x80\x9c      \xe2\x80\x9d account was locked within the\n         environment on July 24, 2007. Therefore, we noted that the risk was present\n         for a majority of the fiscal year.\n\nFEMA-IT- FEMA created the Supplemental Security Policy to the DHS 4300A and                         X\n  07-18  4300B detailed policies for investigating and reporting any suspicious\n         activity detected when reviewing audit logs. 
However, we noted that the\n         policy is dated June 14, 2007 and is in draft form.\n\n            FEMA has not documented specific procedures to review suspicious system\n            software activity and access controls for\n\nFEMA-IT- FEMA created the Supplemental Security Policy to the DHS 4300A and                                FEMA-IT\xc2\xad\n  07-19  4300B detailed policies for monitoring sensitive access and investigating and                       08-19\n         reporting any suspicious activity detected when reviewing audit logs.\n         However, we noted that the policy is dated June 14, 2007 and is in draft form.\n\n            FEMA has not documented procedures to monitor and review sensitive access,\n            system software utilities and suspicious system software and access activities\n            for\n\nFEMA-IT\xc2\xad FEMA has adopted the DHS                           for           This policy               X\n  07-20  establishes required practices for managing DHS IT systems and\n         infrastructure solutions through a progression of activities for initiation,\n         planning, development, testing, implementation, operation, maintenance, and\n         retirement. 
However, we noted that the policy is dated January 27, 2006 and\n         is in draft form.\n\n\n\n\n                                                              30\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial \n\n                                        Statement Audit \n\n\x0c                                                                                                           Appendix C\n\n                                        Department of Homeland Security\n                                    Federal Emergency Management Agency\n                                    Information Technology Management Letter\n                                               September 30, 2008\n\n                                                                                                 Disposition\nNFR No.                                      Description                                       Closed    Repeat\n\nFEMA-IT\xc2\xad FEMA has adopted the DHS                           for            This policy           X\n  07-21  establishes required practices for managing DHS IT systems and\n         infrastructure solutions through a progression of activities for initiation,\n         planning, development, testing, implementation, operation, maintenance, and\n         retirement. However, we noted that the policy is dated January 27, 2006 and\n         is in draft form.\n\nFEMA-IT\xc2\xad FEMA did not have an operational alternate processing site for           for a                 FEMA-IT\xc2\xad\n  07-22  majority of the fiscal year. We determined that the alternate processing site in                 08-22\n                         has redundant servers in place for the                Database\n         effective as of June 2007.\n\nFEMA-IT\xc2\xad     FEMA lacks          backup testing procedures. Additionally, we determined                 FEMA-IT\xc2\xad\n  07-23      that the       backups are not periodically tested. 
                                         08-23\nFEMA-IT\xc2\xad     FEMA lacks           backup testing procedures. Additionally, we determined                FEMA-IT\xc2\xad\n  07-24      that the        backups are not periodically tested.                                         08-24\n\nFEMA-IT\xc2\xad We noted that the              contingency plan has not been tested on an annual               FEMA-IT\xc2\xad\n  07-25  basis, per DHS 4300A.                                                                            08-25\n\nFEMA-IT\xc2\xad During our review of user access rights for the approval of                             X\n  07-26                   we noted that excessive access rights existed. Specifically,\n         we determined that three (3) people were authorized to approve\n                       s; however, one (1) individual was transferred to another DHS\n         agency. Therefore, this person\xe2\x80\x99s job responsibilities no longer required this\n         access nor was this individual a current FEMA employee.\n\n             Upon notification of this issue, FEMA took corrective action and removed the\n             individual\xe2\x80\x99s access rights.\n\nFEMA-IT\xc2\xad     We noted that testing documentation for            application level changes is     X\n  07-27      not consistently documented or performed timely.\nFEMA-IT\xc2\xad     Per DHS 4300A, all changes to major applications must be formally                          FEMA-IT\xc2\xad\n  07-28      approved, tested and documented prior to the change being implemented. For                   08-28\n             the test of this control, we selected a sample of nine (9)         application\n             level changes. 
We noted that one (1) out of the sample did not have testing\n             performed.\n\nFEMA-IT\xc2\xad We noted that the Technical Review Committee (         ) approvals for                         FEMA-IT\xc2\xad\n  07-29  application level emergency changes are not consistently documented.                             08-29\n         Specifically, we determined that five (5) out of a sample of eight (8)\n         application level emergency changes did not gain        approval.\n\n\n\n\n                                                             31\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial \n\n                                        Statement Audit \n\n\x0c                                                                                                        Appendix C\n\n                                        Department of Homeland Security\n                                    Federal Emergency Management Agency\n                                    Information Technology Management Letter\n                                               September 30, 2008\n\n                                                                                               Disposition\nNFR No.                                      Description                                     Closed   Repeat\n\nFEMA-IT- We determined that excessive access is designed to be permitted within                X\n\n  07-30 \n         to make offline changes to the general ledger account tables via the\n                                                                           Group. We\n          identified six (6) users in the        group that have the ability to make\n          offline changes to the general ledger account tables, which are not within their\n          job responsibilities.\n\nFEMA-IT\xc2\xad             does not timeout after a period of inactivity. 
Additionally, we           X\n\n  07-31 \n determined that all        workstations use a password protected screensaver\n          after fifteen (15) minutes of inactivity, which is not in compliance with DHS\n          4300A.\n\n                      access is not reviewed on a periodic basis to determine if access is\n             valid and commensurate with job responsibilities.\n\nFEMA-IT\xc2\xad While a standard form has been developed for documenting                   change     X\n\n  07-32 \n requests,         change management procedures have not been \n\n          documented. \n\n\n            System software change management procedures have not been developed or\n            implemented. Additionally, installation of the operating system upgrade in\n            FY 2007 was not formally documented or approved.\n\nFEMA-IT\xc2\xad NFIP has made improvements in the area of Administrator account                       X\n\n  07-33 \n management. However, we noted that system activity logs are not being\n\n          reviewed. \n\nFEMA-IT\xc2\xad NFIP has updated the                                                                  X\n  07-34               baseline configuration document. However, we noted that\n          procedures have not been developed which require approvals prior to\n          implementation. Additionally, of 30 changes selected, 14 changes did not\n          have documented Operations Service Request forms or documented\n          approvals.\n\nFEMA-IT\xc2\xad A system programmer                  had write access to the                          X\n  07-35                         and              datasets of the\n         production member. NFIP removed the system programmer\xe2\x80\x99s access shortly\n         after this finding was identified.\n\nFEMA-IT- Access to the                             excel files is excessive. 
Specifically,     X\n  07-36  we identified that modify and write access permissions to the excel files are\n         inappropriate for five individuals of the Bureau of Finance and Statistical\n         Control group.\n\n\n\n\n                                                              32\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial \n\n                                        Statement Audit \n\n\x0c                                                                                                         Appendix C\n\n                                       Department of Homeland Security\n                                   Federal Emergency Management Agency\n                                   Information Technology Management Letter\n                                              September 30, 2008\n\n                                                                                               Disposition\nNFR No.                                     Description                                      Closed    Repeat\n\nFEMA-IT- We noted there is excessive access to             application software and            X\n  07-37  support files. Specifically, we noted that all individuals within the Bureau of\n         Finance and Statistical Control group have modify and write access to the\n                   application software and support files.\n\nFEMA-IT\xc2\xad NFIP has not documented incompatible duties within                developed                  FEMA-IT\xc2\xad\n  07-38  policy and procedures regarding segregation of duties, or implemented                          08-38\n         segregation of duties controls within          . All users of           have full\n         application level access.\nFEMA-IT\xc2\xad The           contingency plan has not been tested. 
As a result, the system                  FEMA-IT\xc2\xad\n  07-39  fail-over capability for the         alternate processing site has not been                    08-39\n         tested.\n\n            The NFIP Disaster Recovery and COOP does not identify the following:\n\n            The            and      alternate processing facility; and      critical data\n            files are not documented.\n\nFEMA-IT- The rules of behavior (ROB) forms are not consistently signed prior to users          X\n  07-40  gaining access to the NFIP Bureau                           ). Specifically,\n         we determined that three (3) out of a sample of twelve (12) new NFIP Bureau\n               users did not sign the ROB prior to obtaining NFIP Bureau        access.\n\nFEMA-IT- We determined that policies and procedures over periodic review of                    X\n  07-41  access lists have been documented. However, we noted that the periodic\n         review determining if logical user access is valid and consistent with job\n         responsibilities is not effective as an instance of excessive system developer\n         access was identified within\n\nFEMA-IT- We determined that periodic review policies and procedures have not been              X\n  07-42  developed for access to the NFIP Bureau        room. 
As a result, we noted\n         that there are two (2) employees with excessive access to the NFIP Bureau\n                room.\n\nFEMA-IT- The NFIP Bureau           has been configured to permit users to reuse prior          X\n\n  07-43 \n passwords after five (5) iterations which is not in compliance with the DHS\n          4300A.\nFEMA-IT- We noted that proactive vulnerability scanning is not performed over                  X\n\n  07-44 \n backend database or the NFIP Bureau          .\n\n\n\n\n                                                            33\n  Information Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial \n\n                                        Statement Audit \n\n\x0c                                                                                Appendix D\n\n                             Department of Homeland Security\n\n                         Federal Emergency Management Agency \n\n                         Information Technology Management Letter \n\n                                    September 30, 2008\n\n\n\n\n                                       Appendix D \n\n\n                                Management Comments \n\n\n\n\n\n                                            34 \n\nInformation Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial\n                                      Statement Audit\n\x0c                                                                                Appendix D\n\n                             Department of Homeland Security\n\n                         Federal Emergency Management Agency \n\n                         Information Technology Management Letter \n\n                                    September 30, 2008\n\n\n\n\n                                            35 \n\nInformation Technology Management Letter for the FEMA Component of the FY 2008 DHS Financial\n                                      Statement Audit\n\x0c                          
                    Report Distribution

                    Department of Homeland Security

                    Secretary
                    Acting Deputy Secretary
                    Chief of Staff for Operations
                    Chief of Staff for Policy
                    Acting General Counsel
                    Executive Secretariat
                    Under Secretary, Management
                    Acting Administrator, FEMA
                    DHS Chief Information Officer
                    DHS Chief Financial Officer
                    Chief Financial Officer, FEMA
                    Chief Information Officer, FEMA
                    Chief Information Security Officer
                    Assistant Secretary, Policy
                    Assistant Secretary for Public Affairs
                    Assistant Secretary for Legislative Affairs
                    DHS GAO OIG Audit Liaison
                    Chief Information Officer, Audit Liaison
                    FEMA Audit Liaison

                    Office of Management and Budget

                    Chief, Homeland Security Branch
                    DHS OIG Budget Examiner

                    Congress

                    Congressional Oversight and Appropriations Committees as Appropriate


ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at
(202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.


OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal
misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
       DHS Office of Inspector General/MAIL STOP 2600,
       Attention: Office of Investigations - Hotline,
       245 Murray Drive, SW, Building 410,
       Washington, DC 20528.


The OIG seeks to protect the identity of each writer and caller.